ctf-web

Installs: 397
Rank: #2451

Install

npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-web

CTF Web Exploitation

Quick reference for web CTF challenges. Each technique has a one-liner here; see the supporting files for full details with payloads and code.

Additional Resources

- server-side.md - Server-side attacks: SQLi, SSTI, SSRF, XXE, command injection, code injection (Ruby/Perl/Python), ReDoS, file write→RCE, eval bypass, ExifTool CVE, Go rune/byte mismatch, zip symlink
- client-side.md - Client-side attacks: XSS, CSRF, CSPT, cache poisoning, DOM tricks, React input filling, hidden elements
- auth-and-access.md - Auth/authz attacks: JWT, session, password inference, weak validation, client-side gates, NoSQL auth bypass
- node-and-prototype.md - Node.js: prototype pollution, VM sandbox escape, Happy-DOM chain, flatnest CVE, Lodash+Pug AST injection
- web3.md - Blockchain/Web3: Solidity exploits, proxy patterns, ABI encoding tricks, Foundry tooling
- cves.md - CVE-specific exploits: Next.js middleware bypass, curl credential leak, Uvicorn CRLF, urllib scheme bypass, ExifTool DjVu, broken auth, AAEncode/JJEncode, protocol multiplexing

Reconnaissance

- View source for HTML comments; check JS/CSS files for internal APIs
- Look for .map source map files
- Check response headers for custom X- headers and auth hints
- Common paths: /robots.txt, /sitemap.xml, /.well-known/, /admin, /api, /debug, /.git/, /.env
- Search JS bundles: grep -oE '"/api/[^"]+"' for hidden endpoints
- Check for client-side validation that can be bypassed
- Compare what the UI sends vs. what the API accepts (read the JS bundle for all fields)

SQL Injection Quick Reference

Detection: send ' and watch for a syntax error, which indicates SQLi.

' OR '1'='1                                  # Classic auth bypass
' OR 1=1--                                   # Comment termination
username=\&password= OR 1=1--                # Backslash escape quote bypass
' UNION SELECT sql,2,3 FROM sqlite_master--  # SQLite schema
0x6d656f77                                   # Hex encoding for 'meow' (bypass quotes)

See server-side.md for second-order SQLi, LIKE brute-force, SQLi→SSTI chains.

XSS Quick Reference

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

Filter bypass: hex \x3cscript\x3e, entities &lt;script&gt;, case mixing
injection. See client-side.md.

DOM Clobbering + MIME Mismatch
.jpg served as text/html; clobbers JS globals. See client-side.md.

HTTP Request Smuggling via Cache Proxy
Cache proxy desync for cookie theft via incomplete POST body. See client-side.md.

Path Traversal: URL-Encoded Slash Bypass
%2f bypasses nginx route matching but the filesystem resolves it. See server-side.md.

WeasyPrint SSRF & File Read (CVE-2024-28184)
WeasyPrint embeds fetched content as PDF attachments, bypassing header checks. Boolean oracle via /Type /EmbeddedFile presence. See server-side.md and cves.md.

MongoDB Regex / $where Blind Injection
Break out of /.../i with a^/)||()&&(/a^. Binary search charCodeAt() for extraction. See server-side.md.

Pongo2 / Go Template Injection
{% include "/flag.txt" %} in an uploaded file + path traversal in the template parameter. See server-side.md.

ZIP Upload with PHP Webshell
Upload a ZIP containing a .php file → extract to a web-accessible dir → file_get_contents('/flag.txt'). See server-side.md.

basename() Bypass for Hidden Files
basename() only strips directories; it doesn't filter .lock or hidden files in the same directory. See server-side.md.

Custom Linear MAC Forgery
Linear XOR-based signing with secret blocks → recover from known pairs → forge for target. See auth-and-access.md.

CSS/JS Paywall Bypass
Content behind a CSS overlay (position: fixed; z-index: 99999) is still in the raw HTML. curl or view-source bypasses it instantly. See client-side.md.

Admin Bot javascript: URL Scheme Bypass
new URL() validates syntax only, not protocol: javascript: URLs pass and execute in Puppeteer's authenticated context. CSP/SRI on the target page are irrelevant since the JS runs in navigation context. See client-side.md.

Common Flag Locations

- /flag.txt, /flag, /app/flag.txt, /home/*/flag*
- Environment variables: /proc/self/environ
- Database: flag, flags, secret tables
- Response headers: x-flag, x-archive-tag, x-proof
- Hidden DOM: display:none elements, data attributes
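As an added illustration of the new URL() point above (example code, not from the ctf-skills repository): the syntax-only check an admin bot often uses, beside a validator that enforces a protocol and host allowlist. The function names and the host challenge.example are assumptions.

```javascript
// Added example, not part of the skill's files. Runs on Node.js, where `URL` is global.

// Pattern the quick reference warns about: only URL syntax is validated.
function isSyntacticallyValid(input) {
  try {
    new URL(input);
    return true;
  } catch {
    return false;
  }
}

// Hardened variant: parse, then require an allowlisted protocol and hostname,
// so javascript:/data: navigations never reach the headless browser.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const ALLOWED_HOSTS = new Set(["challenge.example"]); // assumed challenge host

function isSafeToVisit(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false;
  }
  // url.protocol is already lowercased by the WHATWG parser, so "JavaScript:" is caught too.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  if (!ALLOWED_HOSTS.has(url.hostname)) return false;
  // Userinfo ("https://good@evil/") is a classic way to fool naive host checks; reject it.
  if (url.username || url.password) return false;
  return true;
}

// Constructed sample inputs covering the cases that matter for an admin bot.
const SAMPLES = [
  "https://challenge.example/report?id=1",
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  "data:text/html,<h1>hi</h1>",
  "https://challenge.example@evil.example/",
  "not a url",
];

// Returns one row per sample with the verdict of each check.
function checkAll() {
  return SAMPLES.map((s) => ({
    input: s,
    syntaxOnly: isSyntacticallyValid(s),
    hardened: isSafeToVisit(s),
  }));
}
```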